05.04.2015 Author: Konstantin Asmolov

North Korean Hackers or South Korean Disorderliness?

nk-military-computersAs it turned out, mysterious ‘DPRK combat hackers’ delivered a new strike: South Korea accused North Korea in hacker attacks on the computer systems of its NPPs, accomplished at the end of 2014. As it turned out, the computers from which the attack was launched, were located in the North-East of PRC, in Shenyang, as well as in a number of other cities, located not far from the border with DPRK. There were also identified other coincidences with the previous hacker attacks, which have been ascribed to Pyongyang.

Let us recall that last December unknown ‘representatives from the anti-nuclear group from Hawaii’ hacked and posted in the public domain personal data information about employees of the company – NPP operator, as well as drawings of certain reactor assemblies. The same hackers recently re-appeared, having again posted new drawings of some key assemblies of the South Korean NPPs. This time they demanded money for their silence, claiming that out of 16,000 viruses that they had launched, only 7,000 were identified and neutralized. In response, the Republic of Korea (RK) authorities declared that some of personal and work computers of the employees of the company – NPP cooperator were indeed contaminated, but all those programs had been neutralized, and nothing endangers the safety of nuclear reactors.

As the Prosecutor’s office representative advised, ‘the nature of the used IP-addresses and codes coincides by 70% percent’ in the composition and methods of influence with the malicious software used by North Korean hackers who wanted to ‘impede the South Korean PNN operation through damaging computers’ hard disc drives’. The investigation proved that the cyber-attack was made between 9th and 12th of December 2014 via mailout to the e-mail addresses of the corporation employees of phishing letters with malicious code. The attackers made more than 200 connections from the Chinese city of Shenyang, where, in the Prosecutor’s Office opinion, one of the main bases of the North Korean hackers is located.

Why, each time when a major bank or an important enterprise becomes a target for a hacker attack, it is immediately turns out that it was North Korean hackers. Even though when some time later tales of a corporate scandal related to an outrageous irresponsibility inside the company float to the surface. For example, few remember that in March 2013 the RK government officials informed that the infamous attack against a number of TV companies and banks had been launched from the RK territory, and not from a Chinese IP, as it had been declared earlier. Without mentioning who in particular was behind the attack, it was stated that the fighters with cyber threat had mistaken a private address used within the Nonghyup Bank with the official IP belonging to PRC. Furthermore, with regard to that widely advertized attack, only four days after it, it was found out that in fact the attacks had come from RK and the alleged hacker was arrested.

Frankly speaking, if hackers really ‘wanted to impede the South Korean NPPs operation through damaging computers’ hard disc drives’, as well as ‘to post company’s confidential documents on the internet’, does it mean that the NPP control computers with the software are the same Internet-connected machines with the hacked mail of the employees? If yes, then there are either obvious violent problems in safety systems or it was only a mail hack as a result of which the hackers got access to all correspondence which was stored on the Google disc.

But it is one thing to demonstrate own disorderliness to public at large and quite another – to become a victim of secret computer services of a terrible totalitarian regime. Feel the difference, without forgetting the ‘Stonefish Law’: North Korea is so mysterious and closed that anything can happen there. North Korean hackers can penetrate into a company’s internal network that is not connected to ‘the outside world’, using at the same time skills from a toolkit of high school computer hooligans. This is not the notorious Stuxnet – the malicious software that deactivated Iranian centrifuge control systems (made by Siemens, Windows-operated without Internet connection).

Furthermore, for some reason all bases of North Korean hackers are always found in China. No one cares, that since the appearance of the new PRC leader the relations between the two countries have grown noticeably cold, and in general that Beijing does not like it when China is used as a smoke-screen for someone else’s undercover operations. But instead there is an unshaken argument: the type of these hacker attacks reminds the previous attacks, which we considered to be the product of the North Korea’s activity. Though similar methods (rather, types of software) can be found not only in the attacks on the South Korean sites, but also in other attacks that have nothing to do with North Korea, and the source code of these programs has long been on open access, which means that any cyber criminal can use it. IP-addresses are not an indicator, since any mentally sane hacker who gets a possibility to send messages from a network of addresses (so called botnet) of even minimal size does not want to give away any IPs besides those used by botnet.

In this contest one can’t but remember another ‘North Korean cyber attack’ related to the film ‘The Interview’. There too, despite a number of discrepancies, DPRK was appointed guilty and under this pretext additional sanctions against it were adopted, though from the very beginning one was tempted to ask a question: ‘Where from did the alleged North Korean hackers get the engineering capacity, required for launching such an attack, and what is more important – where from did they get the advanced knowledge of the US cultural context’? Both, the assortment of the stolen and where the information was posted and to which journalists it was leaked proves that hackers know very well the internal American audience.

In sum: practically in each case of the ‘North Korean cyber attack’ common corruption and disorderliness float to the surface, and actual DPRK involvement remains doubtful. But due to the ‘hacker theory’ one kills two birds with one stone. Loafer turns into a victim, Pyongyang gets ‘+1’ to demonization and it is possible to pump out additional funds for fighting enemy hackers, as the North Korean computer threat is so serious!

Konstantin Asmolov, Candidate of Historical Sciences, Senior Researcher at the Center of Korean Research of the Institute of Far-Eastern Studies with the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook”.

Please select digest to download: